Bug ID 428387: SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP None(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.3, 11.4.1 HF9

Opened: Aug 20, 2013
Severity: 3-Major
Related Article:
K15157

Symptoms

SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contains special XML characters such as &, <, >, " or '.

Impact

SAML AuthRequest and Assertion generation could fail.

Conditions

- Assertion signing is enabled on BIG-IP as IdP.
- SAML Configuration (IdpEntityID, ACS, not-encrypted SAML Attributes, ACS URL, SP Entity ID, SLO URL) contains special characters, e.g. &, <, >, " or '.

Workaround

You can replace special XML characters with XML escape codes in the configuration:

- " becomes &quot;
- ' becomes &apos;
- < becomes &lt;
- > becomes &gt;
- & becomes &amp;

For example, replace "http://f5.com/acs_url?user=5&password=pass" with "http://f5.com/acs_url?user=5&amp;password=pass".
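The following added example (not F5's code) shows why an unescaped configuration value breaks AuthnRequest generation and that the escaped form from the workaround parses back to the intended value; the AuthnRequest skeleton, the issuer value and the escape helper are assumptions for illustration, the ACS URL is the one quoted above.

```python
# Added example, not part of the F5 bug record. Demonstrates the failure
# mode (XML metacharacters inserted verbatim into SAML XML) and the
# workaround (XML-escaping the configuration values first).
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# escape() already covers &, < and >; the two quote characters named in
# the bug report need explicit entity mappings.
QUOTE_ESCAPES = {'"': "&quot;", "'": "&apos;"}


def escape_config_value(value: str) -> str:
    """Apply the workaround: replace &, <, >, " and ' with XML entities."""
    return escape(value, QUOTE_ESCAPES)


def build_authn_request(acs_url: str, issuer: str) -> str:
    """Render a minimal AuthnRequest with the values inserted verbatim,
    i.e. the way a generator that forgets to escape would (assumed layout)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def parsed_acs_url(xml_text: str):
    """Return the ACS URL an XML parser sees, or None if the document is
    not well-formed (the condition that makes generation fail)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.get("AssertionConsumerServiceURL")


# Constructed sample values; the ACS URL is the one quoted in the workaround.
RAW_ACS = "http://f5.com/acs_url?user=5&password=pass"
RAW_ISSUER = "https://idp.example.com/<tenant>"

if __name__ == "__main__":
    raw = build_authn_request(RAW_ACS, RAW_ISSUER)
    fixed = build_authn_request(escape_config_value(RAW_ACS), escape_config_value(RAW_ISSUER))
    print("unescaped config ->", parsed_acs_url(raw))    # None: not well-formed
    print("escaped config   ->", parsed_acs_url(fixed))  # original ACS URL
```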

Fix Information

The BIG-IP system, when configured as an Identity Provider (IdP), can now successfully create SAML assertions even when the BIG-IP configuration contains special XML characters.

Behavior Change